feat(ci): add support for aarch64-unknown-linux-musl target #3077

Open
YufJi wants to merge 11 commits into zeroclaw-labs:master from YufJi:master


@YufJi YufJi commented Mar 9, 2026

Summary

  • Base branch target: master
  • Problem: The aarch64-unknown-linux-musl matrix entry was misconfigured, leaving no release asset available for devices such as OpenWrt-based routers
  • What changed: Added the cross-compiler fields with use_zigbuild: true; added an install step for cargo-zigbuild + ziglang; updated the build step to branch on use_zigbuild
  • What did not change: All other build targets (x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu, aarch64-apple-darwin, x86_64-pc-windows-msvc) are untouched

Label Snapshot (required)

  • Risk label: risk: low
  • Size label: size: XS
  • Scope labels: ci
  • Module labels: N/A
  • Contributor tier label: (auto-managed)
  • If any auto-label is incorrect, note requested correction: N/A

Change Metadata

  • Change type: feature
  • Primary scope: ci

Linked Issue

  • Closes #
  • Related #
  • Depends on: N/A
  • Supersedes: N/A

Supersede Attribution (required when Supersedes # is used)

N/A

Validation Evidence (required)

CI workflow config change only — no Rust source changes

forked repo's action built successfully:

image

validated target aarch64-unknown-linux-musl asset worked on my router:

image

Security Impact (required)

  • New permissions/capabilities? No
  • New external network calls? Yes — pip3 install ziglang (PyPI) and cargo install cargo-zigbuild (crates.io), scoped to the musl build job only; both are standard CI dependency installation patterns
  • Secrets/tokens handling changed? No
  • File system access scope changed? No
  • If any Yes, describe risk and mitigation: Both packages are well-known public packages; versions can be pinned in a follow-up PR if stricter supply-chain control is required

Privacy and Data Hygiene (required)

  • Data-hygiene status: pass
  • Redaction/anonymization notes: N/A
  • Neutral wording confirmation: N/A — pure CI config change, no identity-like wording involved

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? No
  • Migration needed? No

Side Effects / Blast Radius (required)

  • Affected subsystems/workflows: aarch64-unknown-linux-musl matrix job in release.yml build stage only
  • Potential unintended effects: cargo install cargo-zigbuild adds ~1–2 min to the musl job; all other target jobs are unaffected
  • Guardrails/monitoring for early detection: fail-fast: false is already set — a musl job failure will not cancel other platform builds

Rollback Plan (required)

  • Fast rollback command/path: git revert <commit> to restore release.yml to the pre-change state; no stateful dependencies
  • Feature flags or config toggles: None
  • Observable failure symptoms: musl job fails with cargo-zigbuild: command not found or pip install ziglang error

Risks and Mitigations

None

Summary by CodeRabbit

  • Chores
    • Added support for aarch64 (ARM64) Linux musl builds to release workflows.
    • Introduced an optional Zig-based build path to produce ARM64 artifacts when enabled.
    • CI now conditionally installs the Zig/cargo-zigbuild toolchain only when the Zig path is used, preserving existing non-Zig build behavior for other targets.

@YufJi YufJi requested a review from JordanTheJet as a code owner March 9, 2026 17:52
coderabbitai bot commented Mar 9, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'tools', 'path_filters', 'review_instructions'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
Walkthrough

Adds an ARM64 musl matrix entry to two GitHub Actions release workflows and conditionally uses Zig tooling: installs zig and cargo-zigbuild when enabled and runs cargo zigbuild for musl targets; other targets keep the previous build and packaging steps unchanged.

Changes

| Cohort / File(s) | Summary |
|------------------|---------|
| GitHub Actions workflows: .github/workflows/release-beta-on-push.yml, .github/workflows/release-stable-manual.yml | Added aarch64-unknown-linux-musl matrix entry with use_zigbuild: true; added conditional Install cargo-zigbuild step (installs zig and cargo-zigbuild); modified Build release step to run cargo zigbuild --release --locked --target when use_zigbuild is true, otherwise preserve previous cargo build flow (including optional linker env export). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

size: XS, ci

Suggested reviewers

  • JordanTheJet
  • chumyin
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|------------|--------|-------------|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding aarch64-unknown-linux-musl target support via zigbuild integration in CI workflows. |
| Description check | ✅ Passed | The PR description addresses all required template sections with substantive content, including validation evidence with screenshots, security analysis, and comprehensive metadata. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 88-92: Update the PR notes and docs/actions-source-policy.md to
document that the release workflow step named "Install cargo-zigbuild" now pulls
from PyPI (via the command pip3 install ziglang) and crates.io (via cargo
install cargo-zigbuild); add allowlist entries for PyPI and crates.io, include
the exact commands/package names (ziglang and cargo-zigbuild) and a short
justification so reviewers can audit these new external sources.
- Around line 88-92: The "Install cargo-zigbuild" step currently installs
floating releases; update that step to pin both Zig and cargo-zigbuild by
specifying exact versions (replace "pip3 install ziglang" with a pinned package
version like "pip3 install ziglang==<ZIG_VERSION>" or the project's chosen
installer/token) and install cargo-zigbuild with a pinned crate version and the
--locked flag (replace "cargo install cargo-zigbuild" with "cargo install
cargo-zigbuild --version <CARGO_ZIGBUILD_VERSION> --locked"); keep the
conditional matrix.use_zigbuild and ensure the chosen version strings are added
as workflow inputs or constants so they can be updated reproducibly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c001bc92-1eae-4886-bf61-f2de3335dc60

📥 Commits

Reviewing files that changed from the base of the PR and between f7fefd4 and 797aa5e.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

chore(ci): pin ziglang and cargo-zigbuild to exact versions in release workflow (#1)

chore: update ziglang and cargo-zigbuild versions in release workflow
@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

88-92: Add --locked flag to cargo install for consistency with other build steps.

The version pins are correct and verified. However, this install step should also use --locked to match the reproducibility approach used in the main build commands (lines 98 and 103), ensuring the tool's own lockfile is honored:

Suggested change
       - name: Install cargo-zigbuild
         if: matrix.use_zigbuild
         run: |
           pip3 install ziglang==0.15.2
-          cargo install cargo-zigbuild --version 0.22.1
+          cargo install cargo-zigbuild --version 0.22.1 --locked
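Review bot: the unchanged `pip3 install ziglang==0.15.2` line just above the edited `cargo install` still pins only a version string, not the artifact that gets downloaded, so the two installs in this step end up with different guarantees. Consider installing from a requirements file with `--require-hashes` so the Zig wheel is checked against a recorded hash, matching the intent of adding `--locked` on the Cargo side.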
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 88 - 92, The workflow step named
"Install cargo-zigbuild" uses `cargo install cargo-zigbuild --version 0.22.1`
without the --locked flag; update that command to include --locked so the
install honors Cargo.lock for reproducible builds (i.e., change the `cargo
install cargo-zigbuild --version 0.22.1` invocation in the "Install
cargo-zigbuild" step to add --locked).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6a1319b-8cee-4f22-be7a-baaee55e7f5b

📥 Commits

Reviewing files that changed from the base of the PR and between a45aa2c and 100daaa.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
.github/workflows/release-beta-on-push.yml (1)

88-92: Make the Zig tool bootstrap deterministic.

Same concern as in the stable workflow: this relies on the runner’s default Python and on cargo install without --locked. GitHub recommends using setup-python to make the interpreter explicit, and Cargo only uses the published lockfile for installs when --locked is passed. Tightening both would make the beta musl lane more reproducible. (docs.github.com)

Proposed hardening
+      - uses: actions/setup-python@v5
+        if: matrix.use_zigbuild
+        with:
+          python-version: '3.12'
+
       - name: Install cargo-zigbuild
         if: matrix.use_zigbuild
         run: |
-          pip3 install ziglang==0.15.2
-          cargo install cargo-zigbuild --version 0.22.1
+          python -m pip install ziglang==0.15.2
+          cargo install --locked cargo-zigbuild --version 0.22.1
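Review bot: `uses: actions/setup-python@v5` on the first added line references a mutable tag, which is a weaker pin than the exact versions used for ziglang and cargo-zigbuild in the same hunk. For a release workflow, pin the action to a full commit SHA and keep the tag as a trailing comment, so a moved tag cannot change what runs in the job that produces release assets. `python-version: '3.12'` also floats across patch releases; spell out the full version if the goal is a deterministic bootstrap.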
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-beta-on-push.yml around lines 88 - 92, Update the
"Install cargo-zigbuild" step to make the Zig bootstrap deterministic: use the
actions/setup-python action to pin the Python interpreter instead of calling
pip3 directly (refer to the step name "Install cargo-zigbuild" and condition
"matrix.use_zigbuild"), and invoke cargo install for "cargo-zigbuild" with the
--locked flag (the current command is "cargo install cargo-zigbuild --version
0.22.1") so Cargo respects the lockfile; ensure the step runs the explicit
setup-python action before running the pip install and cargo install commands.
.github/workflows/release-stable-manual.yml (1)

106-110: Make the Zig tool bootstrap deterministic.

This step still depends on runner-image defaults in two places: GitHub recommends setup-python when a workflow needs Python because the hosted runner’s default Python can change, and Cargo ignores a package’s published lockfile unless cargo install --locked is used. Pinning a Python version and adding --locked here would make this musl job much less likely to break because of image drift or transitive dependency churn. (docs.github.com)

Proposed hardening
+      - uses: actions/setup-python@v5
+        if: matrix.use_zigbuild
+        with:
+          python-version: '3.12'
+
       - name: Install cargo-zigbuild
         if: matrix.use_zigbuild
         run: |
-          pip3 install ziglang==0.15.2
-          cargo install cargo-zigbuild --version 0.22.1
+          python -m pip install ziglang==0.15.2
+          cargo install --locked cargo-zigbuild --version 0.22.1
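Review bot: this step is now an exact copy of the one proposed for release-beta-on-push.yml, with `0.15.2`, `0.22.1` and `'3.12'` hardcoded in both files, so a later bump can update one workflow and miss the other. Define the versions once (workflow-level `env` values, or a shared composite action holding the whole bootstrap) and reference them from both release workflows.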
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-stable-manual.yml around lines 106 - 110, Update
the "Install cargo-zigbuild" step to make the Zig bootstrap deterministic: add a
prior call to actions/setup-python to pin a specific Python version (e.g., 3.x)
instead of relying on the runner default so the pip3 install ziglang==0.15.2 is
deterministic, and change the cargo install invocation (the cargo install
cargo-zigbuild --version 0.22.1 command) to include --locked so Cargo respects
the published lockfile and avoids transitive dependency drift.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 93a10e41-780c-415b-8e76-515fb6912dfb

📥 Commits

Reviewing files that changed from the base of the PR and between 100daaa and 235e542.

📒 Files selected for processing (2)
  • .github/workflows/release-beta-on-push.yml
  • .github/workflows/release-stable-manual.yml

@rareba rareba left a comment

Core implementation is sound — the zigbuild approach is standard for musl cross-compilation, versions are pinned, and existing targets are untouched. One required change:

Required: Update docs/contributing/actions-source-policy.md
This PR introduces two new supply-chain surfaces into the release pipeline:

  • PyPI: ziglang==0.15.2
  • crates.io: cargo-zigbuild==0.22.1

Per the guardrails in actions-source-policy.md, these should be documented in this PR, not deferred.

Suggested (non-blocking):

  • Add --locked to cargo install cargo-zigbuild --version 0.22.1 for full transitive dependency reproducibility
  • Consider actions/setup-python@v5 before the pip install step (currently relies on implicit runner Python)

The build logic branching is clean, both workflows are kept in sync, and no existing targets are affected.

rareba commented Mar 11, 2026

Quick fix list to get this merged:

Required: Update docs/contributing/actions-source-policy.md

Add a section documenting the new supply-chain sources:

### musl Cross-Compilation Dependencies (aarch64-unknown-linux-musl job only)

| Source | Package | Version | Purpose |
|--------|---------|---------|---------|
| PyPI | ziglang | 0.15.2 | Zig toolchain for musl cross-compilation |
| crates.io | cargo-zigbuild | 0.22.1 | Cargo subcommand wrapping Zig linker |

Both are pinned to exact versions in the workflow matrix.

Suggested: Add --locked flag

cargo install cargo-zigbuild --version 0.22.1 --locked

After the docs update + rebase, this is ready to merge.

@YufJi YufJi requested a review from rareba March 12, 2026 10:40
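
A lint for the pinning rules this thread converges on, as an added example (not code from the PR or from the zeroclaw project): it flags `pip install` without `==`, `cargo install` without a version or without `--locked`, and, going beyond what the thread asks for, `uses:` references that are not a full commit SHA. The rule names, the `audit_workflow` function and the sample workflow text are constructed for illustration.

```python
import re

# Constructed sample: the floating installs first proposed in the thread,
# followed by the hardened commands the reviewers suggested.
SAMPLE_WORKFLOW = """\
      - uses: actions/setup-python@v5
        if: matrix.use_zigbuild
      - name: Install cargo-zigbuild
        if: matrix.use_zigbuild
        run: |
          pip3 install ziglang
          cargo install cargo-zigbuild --version 0.22.1
          python -m pip install ziglang==0.15.2
          cargo install --locked cargo-zigbuild --version 0.22.1
"""

PIP_RE = re.compile(r"\bpip3?\s+install\s+(.*)")
CARGO_RE = re.compile(r"\bcargo\s+install\s+(.*)")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, rule, line) findings for unpinned tool installs."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = PIP_RE.search(line)
        if m:
            args = m.group(1).split()
            from_file = "-r" in args or "--requirement" in args
            pkgs = [a for a in args if not a.startswith("-")]
            # Every package named on the command line needs an exact version.
            if not from_file and any("==" not in p for p in pkgs):
                findings.append((no, "pip-unpinned", line))
        m = CARGO_RE.search(line)
        if m:
            args = m.group(1).split()
            pinned = any(a == "--version" or a.startswith("--version=")
                         or "@" in a for a in args)
            if not pinned:
                findings.append((no, "cargo-unpinned", line))
            # Without --locked, cargo install re-resolves transitive deps.
            if "--locked" not in args:
                findings.append((no, "cargo-not-locked", line))
        m = USES_RE.match(raw)
        if m and not m.group(1).startswith("./") and not SHA_RE.search(m.group(1)):
            findings.append((no, "action-mutable-ref", line))
    return findings
```

Run over the sample, it reports line 1 (tag-pinned action), line 6 (floating `ziglang`) and line 7 (`cargo install` without `--locked`), and passes the two hardened commands.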